authorbeck <>2020-05-10 17:13:31 +0000
committerbeck <>2020-05-10 17:13:31 +0000
commit2dbddc3bc2d66017076fb590ed025131e97b6703 (patch)
treef035385b5c768fbadf8ee1915194bcc9866f08aa /src
parentb8698e11d9883dab7da69566fc2cd28afaf199a8 (diff)
Make openssl X509 handle the failure case return code from X509_time_cmp.
While we are in here also make it notice if time values in a certificate are bogus, and say so in the output. ok bcook@ jsing@
Diffstat (limited to 'src')
-rw-r--r--src/usr.bin/openssl/x509.c21
1 files changed, 16 insertions, 5 deletions
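--- a/src/usr.bin/openssl/x509.c
+++ b/src/usr.bin/openssl/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.17 2019/01/19 21:17:05 jsg Exp $ */
+/* $OpenBSD: x509.c,v 1.18 2020/05/10 17:13:31 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -774,12 +774,20 @@ x509_main(int argc, char **argv)
  } else if (text == i) {
  X509_print_ex(STDout, x, nmflag, certflag);
  } else if (startdate == i) {
+ ASN1_TIME *nB = X509_get_notBefore(x);
  BIO_puts(STDout, "notBefore=");
- ASN1_TIME_print(STDout, X509_get_notBefore(x));
+ if (ASN1_time_parse(nB->data, nB->length, NULL, 0) == -1)
+ BIO_puts(STDout, "INVALID RFC5280 TIME");
+ else
+ ASN1_TIME_print(STDout, nB);
  BIO_puts(STDout, "\n");
  } else if (enddate == i) {
+ ASN1_TIME *nA = X509_get_notAfter(x);
  BIO_puts(STDout, "notAfter=");
- ASN1_TIME_print(STDout, X509_get_notAfter(x));
+ if (ASN1_time_parse(nA->data, nA->length, NULL, 0) == -1)
+ BIO_puts(STDout, "INVALID RFC5280 TIME");
+ else
+ ASN1_TIME_print(STDout, nA);
  BIO_puts(STDout, "\n");
  } else if (fingerprint == i) {
  int j;
@@ -863,8 +871,11 @@ x509_main(int argc, char **argv)
  }
  if (checkend) {
  time_t tcheck = time(NULL) + checkoffset;
-
- if (X509_cmp_time(X509_get_notAfter(x), &tcheck) < 0) {
+ int timecheck = X509_cmp_time(X509_get_notAfter(x), &tcheck);
+ if (timecheck == 0) {
+ BIO_printf(out, "Certificate expiry time is invalid\n");
+ ret = 1;
+ } else if (timecheck < 0) {
  BIO_printf(out, "Certificate will expire\n");
  ret = 1;
  } else {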
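Review bot: In the `startdate` and `enddate` branches the new validity test calls `ASN1_time_parse(..., NULL, 0)`, and a mode of 0 appears to accept either UTCTime or GeneralizedTime syntax, so a field whose bytes do not match its own ASN.1 tag would still be printed as a good date. If the intent is to flag every time value that fails RFC 5280, consider passing the tag as the mode, `if (ASN1_time_parse(nB->data, nB->length, NULL, nB->type) == -1)`, and likewise for `nA`; this relies on the parser rejecting a mode/format mismatch, which should be confirmed against its implementation. `nB` and `nA` are also dereferenced with no NULL test, where the old code only handed the pointer to `ASN1_TIME_print`; whether the accessors can return NULL for a parsed certificate is not visible here. Both branches sit inside `x509_main`, whose body starts and ends outside these hunks.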